FixVibe

// secrets / spotlight

JWT Integrity (alg confusion, weak secrets)

If your JWT verifier trusts the token's own header, it will believe whatever the attacker types.

Kaitnya

JSON Web Tokens are the standard auth-state-in-a-cookie of the 2020s, and they fail in predictable ways. The flaws aren't in the spec; they're in the verifiers, which were too forgiving for too long. The result: a small set of attacks that have worked across thousands of production codebases โ€” alg=none, key confusion, weak secret brute-force, key-id traversal. They all boil down to the same root cause: trusting metadata that the attacker controls.

Cara kerjanya

A JWT is three base64url segments โ€” header.payload.signature. The header includes an `alg` field declaring how the signature was computed. Older verifier libraries read `alg` and dispatch to the matching verification routine. Tell them `alg: "none"` and they'd happily accept an unsigned token. Tell them `alg: "HS256"` (symmetric HMAC) when you've previously been signing with `RS256` (asymmetric RSA), and many libraries would use your *public* key as the HMAC secret โ€” which the attacker has, because it's public. The third path is brute force: HS256 with a weak secret like `secret`, `changeme`, or your project name is crackable in seconds.

Varian-variannya

alg: none

Attacker forges a token with header `{"alg":"none"}` and an empty signature. Naive verifiers skip signature checking. Fixed in most libs by 2017 but still appears in custom verifiers.

RS256 โ†’ HS256 confusion

Token claims symmetric algorithm; verifier hands the public key to HMAC.verify as if it were a shared secret. Attacker, who has the public key, signs forgeries with it.

Weak HMAC secret

A 6-char dictionary word as the signing secret falls to GPU-accelerated cracking in under a minute. Hashcat eats these for breakfast.

kid header traversal

Tokens reference a key by `kid`. If your app reads that header and uses it as a file path or SQL parameter, the attacker can point you at a key they control.

Radius dampak

A forged JWT is full impersonation. Account takeover for any user the attacker can name, role escalation by setting `admin: true` in the payload, bypass of any authorization that trusts the JWT's claims. If your JWT is the auth token for an API, the attacker is the API.

// apa yang fixvibe periksa

Apa yang FixVibe periksa

FixVibe checks shipped client assets for high-confidence secret exposure signals and known credential formats. Reports identify the affected asset and rotation path. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Pertahanan kokoh

Pin the algorithm in your verifier โ€” never read `alg` from the token. If you support multiple algorithms, dispatch on a server-side decision (e.g. by issuer), not on the token's self-description. Use HS256 only with a high-entropy random secret (โ‰ฅ32 bytes from a CSPRNG); use RS256/ES256 for anything cross-service. Rotate keys on a schedule and treat compromise as a planning exercise, not a fire drill. Validate the `aud`, `iss`, `exp`, `nbf` claims on every verification. Don't put authorization decisions inside JWT claims you re-fetch from the database; treat the token as identity, not as authority.

// run it on your own app

Terus rilis sementara FixVibe yang berjaga.

FixVibe menguji permukaan publik app kamu sebagaimana seorang penyerang akan melakukannya โ€” tanpa agent, tanpa instalasi, tanpa kartu. Kami terus meneliti pola kerentanan baru dan mengubahnya jadi check praktis serta perbaikan siap-tempel untuk Cursor, Claude, dan Copilot.

Secrets
39
tes yang dijalankan di kategori ini
modules
5
check secrets khusus
setiap pemindaian
487+
tes di seluruh kategori
  • Gratis โ€” tanpa kartu kredit, tanpa instalasi, tanpa ping Slack
  • Cukup tempel URL โ€” kami crawl, probe, dan laporkan
  • Temuan berperingkat severity, di-dedupe jadi sinyal saja
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Jalankan scan gratis โ†’

// latest checks ยท practical fixes ยท ship with confidence

JWT Integrity (alg confusion, weak secrets) โ€” Sorotan Kerentanan | FixVibe ยท FixVibe